Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery, dubbed the “ClickFix” infection chain.
This novel attack strategy leverages advanced social engineering techniques to manipulate unsuspecting users into executing malicious scripts, leading to severe security breaches.
This article delves into the intricacies of the ClickFix method, its implications, and the steps users can take to protect themselves.
The ClickFix Infection Chain
The ClickFix infection chain begins with users being lured to visit seemingly legitimate but compromised websites.
These websites are meticulously crafted to appear genuine, significantly increasing the likelihood of user compliance. Upon visiting these sites, victims are redirected to domains hosting fake popup windows.
These popups instruct users to paste a script into a PowerShell terminal, a command-line shell used for task automation and configuration management.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
Once the script is pasted and executed in the PowerShell terminal, the malware can infiltrate the victim’s system. This can lead to data theft, system compromise, or further propagation of the malware.
The sophistication of this method lies in its ability to exploit the trust users place in seemingly authentic websites and prompts.
Malware Families Leveraging ClickFix
Two notable malware families, Lumma Stealer and DarkGate, have been observed leveraging the ClickFix technique.
Lumma Stealer is known for its ability to extract sensitive information, including passwords, credit card details, and other personal data, from infected systems.
DarkGate, on the other hand, is a more advanced threat that steals sensitive information, provides remote access, and establishes persistent backdoors in compromised systems.
DarkGate employs advanced evasion tactics, making it difficult to detect and remove. It can spread within networks, posing a significant cybersecurity threat.
Combining these malware families with the ClickFix technique represents a formidable challenge for cybersecurity professionals.
The Role of Phishing Emails
McAfee Labs obtained a phishing email from their spamtrap containing an HTML attachment masquerading as a Word document. Phishing emails play a crucial role in the ClickFix infection chain.
The HTML file displayed an error prompt designed to deceive users into taking actions that could lead to the download and execution of malicious software.
The phishing email tactic is particularly effective because it exploits the user’s familiarity with common file types and error messages.
By presenting a seemingly legitimate problem and offering a solution, the attackers increase the likelihood that users will follow the instructions and inadvertently execute the malicious script.
Technical Analysis
Upon examining the code within the HTML attachment, researchers discovered several base64-encoded content blocks. These blocks contained the malicious script users were instructed to paste into their PowerShell terminal.
The script, once executed, initiates the malware download and installation process.
This method of encoding and disguising the malicious script is a testament to the attackers’ sophistication. By hiding the true nature of the script within encoded blocks, they make it more challenging for automated security systems to detect and block the threat.
Protecting Against ClickFix
To protect against the ClickFix infection chain and similar threats, users should follow these best practices:
- Be Cautious with Emails and Attachments: Always verify the sender’s identity before opening any email attachments, especially if they are unexpected or from unknown sources.
- Avoid Pasting Scripts: Never paste scripts or commands from untrusted sources into your terminal or command prompt.
- Use Security Software: Ensure your security software is up-to-date and capable of detecting and blocking advanced threats.
- Educate Yourself and Others: Stay informed about the latest cybersecurity threats and educate others about the risks and best practices for staying safe online.
The discovery of the ClickFix infection chain highlights the ever-evolving nature of cyber threats and the importance of vigilance in the digital age.
By understanding the tactics used by attackers and taking proactive measures to protect themselves, users can reduce the risk of falling victim to these sophisticated social engineering schemes.
As cybersecurity threats continue to grow in complexity, staying informed and cautious is more critical than ever.
Indicators of Compromise (IoCs)
File | SHA256 |
DarkGate | |
c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3 | |
Html | 0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889 |
HTA | 5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf |
PS | e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2 |
ZIP | 8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1 |
AutoIT script | 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81 |
Lumma Stealer | |
URL | tuchinehd[.]com |
PS | 07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073 |
ZIP | 6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8 |
EXE | e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9 |
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo